@socketsecurity/cli 1.1.9 → 1.1.13

package/dist/shadow-yarn-bin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shadow-yarn-bin.js","sources":["../src/shadow/yarn/link.mts","../src/shadow/yarn/bin.mts"],"sourcesContent":["import path from 'node:path'\n\nimport cmdShim from 'cmd-shim'\n\nimport constants from '../../constants.mts'\nimport {\n  getYarnBinPath,\n  isYarnBinPathShadowed,\n} from '../../utils/yarn-paths.mts'\n\nexport async function installLinks(\n  shadowBinPath: string,\n  binName: 'yarn',\n): Promise<string> {\n  const binPath = getYarnBinPath()\n  const { WIN32 } = constants\n\n  if (WIN32 && binPath) {\n    return binPath\n  }\n\n  const shadowed = isYarnBinPathShadowed()\n\n  if (!shadowed) {\n    if (WIN32) {\n      await cmdShim(\n        path.join(constants.distPath, `${binName}-cli.js`),\n        path.join(shadowBinPath, binName),\n      )\n    }\n    const { env } = process\n    env['PATH'] = `${shadowBinPath}${path.delimiter}${env['PATH']}`\n  }\n\n  return binPath\n}\n","import { promises as fs } from 'node:fs'\n\nimport { debugDir, debugFn, isDebug } from '@socketsecurity/registry/lib/debug'\nimport { logger } from '@socketsecurity/registry/lib/logger'\nimport { spawn } from '@socketsecurity/registry/lib/spawn'\n\nimport { installLinks } from './link.mts'\nimport constants from '../../constants.mts'\nimport { getAlertsMapFromPurls } from '../../utils/alerts-map.mts'\nimport { cmdFlagsToString } from '../../utils/cmd.mts'\nimport { logAlertsMap } from '../../utils/socket-package-alert.mts'\nimport { idToNpmPurl } from '../../utils/spec.mts'\n\nimport type { IpcObject } from '../../constants.mts'\nimport type {\n  SpawnExtra,\n  SpawnOptions,\n  SpawnResult,\n} from '@socketsecurity/registry/lib/spawn'\n\nexport type ShadowYarnOptions = SpawnOptions & {\n  ipc?: IpcObject | undefined\n}\n\nexport type ShadowYarnResult = {\n  spawnPromise: SpawnResult<string, SpawnExtra | undefined>\n}\n\nconst INSTALL_COMMANDS = new Set([\n  'add',\n  'install',\n  'up',\n  'upgrade',\n  'upgrade-interactive',\n])\n\nconst DLX_COMMANDS = new Set(['dlx'])\n\nexport default async function shadowYarn(\n  args: string[] | readonly string[] = process.argv.slice(2),\n  options?: ShadowYarnOptions | undefined,\n  extra?: SpawnExtra | undefined,\n): Promise<ShadowYarnResult> {\n  const {\n    env: spawnEnv,\n    ipc,\n    ...spawnOpts\n  } = { __proto__: null, ...options } as ShadowYarnOptions\n  const terminatorPos = args.indexOf('--')\n  const rawYarnArgs = terminatorPos === -1 ? args : args.slice(0, terminatorPos)\n  const otherArgs = terminatorPos === -1 ? [] : args.slice(terminatorPos)\n\n  // Check if this is a command that needs security scanning\n  const command = rawYarnArgs[0]\n  const needsScanning =\n    command && (INSTALL_COMMANDS.has(command) || DLX_COMMANDS.has(command))\n\n  // Get yarn path\n  const realYarnPath = await installLinks(constants.shadowBinPath, 'yarn')\n\n  const permArgs: string[] = []\n\n  const prefixArgs: string[] = []\n  const suffixArgs = [...rawYarnArgs, ...permArgs, ...otherArgs]\n\n  if (needsScanning && !rawYarnArgs.includes('--dry-run')) {\n    const acceptRisks = Boolean(process.env['SOCKET_CLI_ACCEPT_RISKS'])\n    const viewAllRisks = Boolean(process.env['SOCKET_CLI_VIEW_ALL_RISKS'])\n\n    // Extract package names from command arguments before any downloads\n    const packagePurls: string[] = []\n\n    if (command === 'add' || command === 'dlx') {\n      // For 'yarn add package1 package2@version' or 'yarn dlx package'\n      const packageArgs = rawYarnArgs\n        .slice(1)\n        .filter(arg => !arg.startsWith('-') && arg !== '--')\n\n      for (const pkgSpec of packageArgs) {\n        // Handle package specs like 'lodash', 'lodash@4.17.21', '@types/node@^20.0.0'\n        let name: string\n        let version: string | undefined\n\n        if (pkgSpec.startsWith('@')) {\n          // Scoped package: @scope/name or @scope/name@version\n          const parts = pkgSpec.split('@')\n          if (parts.length === 2) {\n            // @scope/name (no version)\n            name = pkgSpec\n          } else {\n            // @scope/name@version\n            name = `@${parts[1]}`\n            version = parts[2]\n          }\n        } else {\n          // Regular package: name or name@version\n          const atIndex = pkgSpec.indexOf('@')\n          if (atIndex === -1) {\n            name = pkgSpec\n          } else {\n            name = pkgSpec.slice(0, atIndex)\n            version = pkgSpec.slice(atIndex + 1)\n          }\n        }\n\n        if (name) {\n          packagePurls.push(\n            version ? idToNpmPurl(`${name}@${version}`) : idToNpmPurl(name),\n          )\n        }\n      }\n    } else if (\n      ['install', 'up', 'upgrade', 'upgrade-interactive'].includes(command)\n    ) {\n      // For install/upgrade, scan all dependencies from package.json\n      // Note: This scans direct dependencies only. For full transitive dependency\n      // scanning, yarn.lock parsing would be needed (not yet implemented)\n      try {\n        const packageJsonContent = await fs.readFile('package.json', 'utf8')\n        const packageJson = JSON.parse(packageJsonContent)\n\n        const allDeps = {\n          ...packageJson.dependencies,\n          ...packageJson.devDependencies,\n          ...packageJson.optionalDependencies,\n          ...packageJson.peerDependencies,\n        }\n\n        for (const [name, version] of Object.entries(allDeps)) {\n          if (typeof version === 'string') {\n            packagePurls.push(idToNpmPurl(`${name}@${version}`))\n          } else {\n            packagePurls.push(idToNpmPurl(name))\n          }\n        }\n\n        if (isDebug()) {\n          debugFn(\n            'notice',\n            `scanning: ${packagePurls.length} direct dependencies from package.json`,\n          )\n          debugFn(\n            'notice',\n            'note: transitive dependencies not scanned (yarn.lock parsing not implemented)',\n          )\n        }\n      } catch (e) {\n        if (isDebug()) {\n          debugFn(\n            'error',\n            'caught: package.json read error during dependency scanning',\n          )\n          debugDir('inspect', { error: e })\n        }\n      }\n    }\n\n    if (packagePurls.length > 0) {\n      if (isDebug()) {\n        debugFn('notice', 'scanning: packages before download')\n        debugDir('inspect', { packagePurls })\n      }\n\n      try {\n        const alertsMap = await getAlertsMapFromPurls(packagePurls, {\n          nothrow: true,\n          filter: acceptRisks\n            ? { actions: ['error'], blocked: true }\n            : { actions: ['error', 'monitor', 'warn'] },\n        })\n\n        if (alertsMap.size) {\n          process.exitCode = 1\n          logAlertsMap(alertsMap, {\n            hideAt: viewAllRisks ? 'none' : 'middle',\n            output: process.stderr,\n          })\n\n          const errorMessage = `\nSocket yarn exiting due to risks.${\n            viewAllRisks\n              ? ''\n              : `\\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`\n          }${\n            acceptRisks\n              ? ''\n              : `\\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`\n          }`.trim()\n\n          logger.error(errorMessage)\n          // eslint-disable-next-line n/no-process-exit\n          process.exit(1)\n          // This line is never reached in production, but helps tests.\n          throw new Error('process.exit called')\n        }\n      } catch (e) {\n        // Re-throw process.exit errors from tests.\n        if (e instanceof Error && e.message === 'process.exit called') {\n          throw e\n        }\n        if (isDebug()) {\n          debugFn('error', 'caught: package scanning error')\n          debugDir('inspect', { error: e })\n        }\n        // Continue with installation if scanning fails\n      }\n    }\n\n    if (isDebug()) {\n      debugFn('notice', 'complete: scanning, proceeding with install')\n      debugDir('inspect', { args: rawYarnArgs.slice(1) })\n    }\n  }\n\n  const argsToString = cmdFlagsToString([...prefixArgs, ...suffixArgs])\n  const env = {\n    ...process.env,\n    ...spawnEnv,\n  } as Record<string, string>\n\n  if (isDebug()) {\n    debugFn('notice', `spawn: yarn shadow bin ${realYarnPath} ${argsToString}`)\n  }\n\n  const spawnPromise = spawn(realYarnPath, [...prefixArgs, ...suffixArgs], {\n    ...spawnOpts,\n    env,\n    extra,\n  })\n\n  return { spawnPromise }\n}\n"],"names":["WIN32","env","__proto__","name","version","packagePurls","debugFn","error","nothrow","blocked","actions","hideAt","logger","process","args","extra","spawnPromise"],"mappings":";;;;;;;;;;;AAUO;AAIL;;AACQA;AAAM;;AAGZ;AACF;AAEA;;AAGE;;AAKA;;AACQC;AAAI;AACZA;AACF;AAEA;AACF;;ACPA;AAQA;AAEe;;AAMXA;;;AAGF;AAAMC;;;AACN;AACA;AACA;;AAEA;AACA;AACA;;AAGA;;;;;;;;;AAYE;;AAGA;AACE;;AAKA;AACE;AACA;AACA;AAEA;AACE;AACA;AACA;AACE;AACAC;AACF;AACE;AACAA;AACAC;AACF;AACF;AACE;AACA;AACA;AACED;AACF;;;AAGA;AACF;AAEA;AACEE;AAGF;AACF;AACF;AAGE;AACA;AACA;;;AAGE;AAEA;;;;AAIE;;AAGF;AACE;;AAEA;AACEA;AACF;AACF;;;AAOEC;AAIF;;;AAGEA;;AAIsBC;AAAS;AACjC;AACF;AACF;AAEA;;AAEID;;AACsBD;AAAa;AACrC;;AAGE;AACEG;;;AAE0BC;AAAc;AAClCC;AAAsC;AAC9C;;;;AAKIC;;AAEF;AAEA;AACV;AAUUC;AACA;AACAC;AACA;AACA;AACF;;AAEA;;AAEE;AACF;;AAEEP;;AACsBC;AAAS;AACjC;AACA;AACF;AACF;;AAGED;;AACsBQ;AAA2B;AACnD;AACF;;AAGA;;;;;;AAOA;AAEA;AACE;;AAEAC;AACF;;AAESC;;AACX;;","debugId":"ff5e070d-ede1-4e55-b8e9-dfa667ad45a0"}